At least two thirds of companies experienced a cyber-breach last year, and many of those breaches are caused not by remote hackers but by employees who make an error or act maliciously. Examples include deliberately compromising employee data over a grievance (such as the Morrison’s data breach) or, for commercial gain, selling information to third parties, which is criminal activity.
The UK government recognises this problem and for the past two years has sponsored an annual cyber-breach survey to record the experiences of SMEs and large corporates. The government is also doubling its investment in cyber-security to £1.9bn over the next five years and ranks cyber-security incidents among the top three highest risks to the nation. Cyber-breaches are a known risk at corporate level, and now we’re seeing that it’s a risk which filters down.
In the UK, unlike most US states, there is no obligation on companies to notify regulators of security breaches where personal data is compromised. Payment card data, bank account information and National Insurance numbers are all personal data. However, the new General Data Protection Regulation moves us closer to a US model and introduces an obligation to notify the regulator, and in high-risk cases, affected individuals of security breaches where their data is compromised. This regulation would also bring new rights for individuals to have greater control over the use of their data and greater powers for regulators.
New Pan-EU laws require 'operators of essential services' to maintain minimum security requirements and to report cyber-security incidents. This will enable regulators to spot cyber-breach trends and it will also add to transparency across the financial services, utilities, energy, transport and healthcare sectors. Similar requirements are also imposed on digital services providers, online marketplaces, and search engines etc.
How can we better protect our data?
Studies demonstrate that we're terrible at changing default passwords. Whilst there is a significant legislative focus coming from government on organisations to ensure data is secure and that individuals take responsibility for safeguarding their data, a few easy ways you can protect your data right now are:
- Change passwords
- Use more difficult passwords
- Don’t use the same password for every account
- Don’t write down passwords on slips of paper/post-it note
- Take advantage of stronger authentication (e.g. biometric data and eliminating passwords through the use of push-based authentication systems linked to mobile devices)
So you’ve done all this but how can you and your business guard against a cyber-attack?
- Challenge and report suspicious activity (e.g. phishing attacks – e-mails from unknown individuals requesting information)
- Ensure privacy settings are used on mobile devices and social media (so you only share what you want to share with who you want to see it)
- Use stronger passwords/authentication techniques
- Check statements for unusual transactions/unauthorised activity
- Use credit check tools to monitor for unusual activity
- Ignore e-mails that look too good to be true
And finally, always follow advice from the companies who hold our valuable information. For example, a bank won't contact you and ask for your details, particularly by e-mail – whilst you might receive e-mails that look like they're from a bank, be suspicious of any request (however genuine it looks) to part with valuable personal information (e.g. date of birth/NI numbers/account numbers/sort codes).
Studies demonstrate that individuals are becoming more savvy about online behaviour but there are generational variances and some age-groups are more likely to give away more data than others.
My expectation is that we will see commercial organisations lead the way in improving security, particularly around mobile devices/IT equipment, and this will quickly find its way into the consumer mainstream.
If you have any questions about cyber-crime in the UK, our tech team is always on hand to answer them, so get in touch via email or Twitter.